9

So I want to put a website on ipfs, but it has some javascript which calls out to a server that is not the ipfs gateway, so I get cross origin errors. Any idea how to do this?

sideshowbarker
  • 81,827
  • 26
  • 193
  • 197
syzygy
  • 1,356
  • 3
  • 16
  • 28

2 Answers2

15

You can set the Access-Control-Allow-Origin header and other headers using ipfs config:

ipfs config --json API.HTTPHeaders.Access-Control-Allow-Origin '["*"]'
ipfs config --json API.HTTPHeaders.Access-Control-Allow-Methods '["GET", "POST"]'
ipfs config --json API.HTTPHeaders.Access-Control-Allow-Headers '["Authorization"]'
ipfs config --json API.HTTPHeaders.Access-Control-Expose-Headers '["Location"]'
ipfs config --json API.HTTPHeaders.Access-Control-Allow-Credentials '["true"]'

The values above are just examples; set the real values to what your client code actually needs.

https://docs.ipfs.io/reference/api/cli/#ipfs-daemon has the (minimal) existing docs on this.

sideshowbarker
  • 81,827
  • 26
  • 193
  • 197
  • Ooo this looks promising. So I do this before I do "ipfs add"? Or does this need to be done on the gateway before it is run? – syzygy Mar 10 '17 at 01:20
  • I *think* you can make changes with `ipfs config` at any time and they take effect without need to restart. But don’t take my word for it… – sideshowbarker Mar 10 '17 at 01:28
  • I guess what I'm missing is, does the daemon need this or is it the gateway? I realize they can be the same machine, but in the case they aren't. – syzygy Mar 10 '17 at 01:35
  • 1
    The daemon needs it. Or I guess more precisely the API needs it, but it needs to be set by the daemon. The daemon then passes the headers to the API. I guess you can set the daemon to pass them to the gateway but I think you don’t need to – sideshowbarker Mar 10 '17 at 01:37
  • Ok I'm still getting the CORS errors: XMLHttpRequest cannot load http://...../README.md. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:8080' is therefore not allowed access. I changed the config on both the gateway and the daemon. Who is the origin? Does the gateway act as a proxy? – syzygy Mar 10 '17 at 17:14
  • The origin is the scheme+host+port of the server where your JavaScript client code is running. Is that `https://localhost:8080`? If so, then the API is seeing the right origin at least. But note that setting `API.HTTPHeaders.Access-Control-Allow-Origin` only allows cross-origin requests to the configured API endpoints, e.g., URLs in the form `http://localhost:5001/api/v0/add` (on whatever scheme+host+port the API is configured to be exposed at). – sideshowbarker Mar 10 '17 at 23:18
  • If you instead want to make cross-origin requests to the *gateway*, doing `ipfs config --json Gateway.HTTPHeaders.Access-Control-Allow-Origin '["*"]'` should work. That is, with `Gateway.` instead of `API.` Have you tried that yet? – sideshowbarker Mar 10 '17 at 23:20
  • Also you might try hardcoding the origin you need, like this: `ipfs config --json API.HTTPHeaders.Access-Control-Allow-Origin '["http:localhost:8080"]'`. The `*` wildcard should work though… – sideshowbarker Mar 10 '17 at 23:22
  • 1
    Also I just did a fresh ipfs install (version 0.4.6) from scratch and I notice that the correct Access-Control-* headers already get set on the gateway by default, without me needing to configure anything… – sideshowbarker Mar 11 '17 at 07:53
  • The first command worked for me but now I'm getting hit with CORB when I try to view a PDF file that I had uploaded successfully to IPFS :( – NYC Tech Engineer Oct 04 '19 at 09:11
2

The syntax in the answer does not work for me on 2021-03-19. Fortunately, the browser-ipns-publish has an example. The syntax used there is

ipfs config --json API.HTTPHeaders.Access-Control-Allow-Origin "[\"*\"]"

Not sure if this is due to being run on Windows but it works-on-mine (TM).

Alen Siljak
  • 2,482
  • 2
  • 24
  • 29